
Critical Flaw Allows Hackers to Take Control of PowerFlex AC Drives

Rockwell Automation’s Allen Bradley PowerFlex 525 AC drives are affected by a critical denial-of-service (DoS) vulnerability that allows hackers to take control of devices.


PowerFlex 525 AC drives are designed for controlling electrical motors. Unlike traditional drives, these devices offer advanced features, such as embedded Ethernet/IP communications and USB programming. Rockwell Automation says the product is ideal for conveyors, pumps, fans and mixers.

Nicolas Merle, a researcher at industrial cybersecurity firm Applied Risk, discovered that the PowerFlex 525 drive is affected by a serious DoS flaw that can be exploited to disrupt the configuration and control software associated with the device by sending it specially crafted UDP packets that cause the Common Industrial Protocol (CIP) network stack to crash.

[Image: Allen Bradley PowerFlex 525 AC drive]

Exploitation causes the software to disconnect from the device and locks legitimate users out, but an attacker can continue sending commands to the system. A hacker could, among other things, change the speed of the drive or send it start/stop commands, Merle told SecurityWeek.

The only way for victims to regain access to the device is to perform a power reset.

“The bug corrupts the CIP daemon in a way that some values returned by the devices are corrupted. It also prevents any new connection from being established with the device,” Merle explained. “One of the issues is that the control software used to interact with this device monitors all necessary values at all times and once the bug is exploited, the software receives an unexpected value and will try to restart the connection – effectively locking itself out.”


“An attacker, on the other hand, can write a simple script to initiate the connection and not close it. The commands can still be sent to the device in this state and the device will still execute them. In this way, as long as the attacker does not stop the connection, they can continue to send commands and request information. As soon as the connection is terminated, a cold reboot is required for the device to accept new connections,” the researcher added.

Applied Risk says it has uncovered the flaw in version 5.001 of the software, but believes older versions are likely affected as well. The firm says Rockwell Automation has developed a patch, but the vendor has yet to publish a security advisory.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
